I’ve gotten worked up about CCO liability cases. Many have been sloppy about using consistent standards. A recent case case caught my eye because the CCO was charged because of identity theft.
At first I thought the case might be an aggressive position to charge the CCO because a cybersecurity breach resulted in identity theft at the firm. I opened the case and was ready to be angry. Then, I discovered it was very strange case.
The CCO was the one who had stolen identity information. So that bad activity clearly fall into the “CCO is involved in the wrongdoing” standard for CCO liability.
The reasons he stole employee identities?
From November 2011 through June 2015, [the CCO] forged the signatures of ten Firm employees and used their confidential personal information to create false online bidding accounts at three auction houses in their names, and to participate in 26 auctions, without the employees’ authorization. [the CCO] engaged in this conduct after the auction houses prohibited him from participating in auctions, because he had previously failed to pay for or collect items he had won at auction.
Definitely a case where the CCO was involved in the wrongdoing. Employees were harmed. Liability is clearly appropriate.
[Updated to remove the CCO name after a request and a review of remediation]
Sources: